Cybersecurity

Decrypting outbound data a key to security

digital key

When researchers leave the Library of Congress, their bags are checked to ensure they’re not carrying out valuable documents. But not nearly enough federal agencies are doing the same with encrypted data.

Failing to decrypt and inspect outbound network traffic poses a security risk, says Randy Wood, federal vice president at F5 Networks, an application security firm.

Wood said he recently gave a briefing to military personnel and contractors at the Space and Naval Warfare Systems Command. The presentation covered the virtues of decrypting and inspecting outbound network traffic, and “it was as if people had seen fire for the first time,” Wood said at an Aug. 6 media briefing hosted by his firm. Firms like Wood’s could have much to gain commercially from greater federal focus on decrypting network traffic for threats.

The absence of decryption played a significant role in the recent hack of the Joint Chiefs of Staff’s unclassified email network, a former intelligence official familiar with the network told FCW. The Russian hackers believed to be behind the breach took advantage of encrypted traffic that the Joint Chiefs were not decrypting and inspecting, the former official said on the condition of anonymity. Moreover, the hackers could have been targeting the unclassified network in part because classified data occasionally spills onto it.

The broader subject of encryption has gotten more attention from lawmakers since the large-scale hacks of the Office of Personnel Management. Security practices such as encryption should “become the norm rather than the exception,” Rep. Elijah Cummings (D-Md.) said during a June 16 House Oversight and Government Reform Committee hearing. (A Department of Homeland Security official has nonetheless said that encryption would not have protected the data in the case of the OPM breaches.)

There is not much in the way of public measurements of how much federal network traffic is encrypted. Civilian agencies aside from DHS and the Justice Department are less likely to encrypt data at rest or in transit, according to Chris Cummiskey, a former DHS official turned IT security consultant. Agencies should prioritize more sensitive data for protection rather than rush to encrypt everything, he told FCW. “The government just doesn’t have a very good handle on the myriad datasets that they have in terms of prioritizing” what to secure, Cummiskey said.

Brian Taggart, a senior systems engineer at ClearShark, an IT vendor that works with F5 Networks, argues that the coming use of secure sockets layer (SSL), a common encryption protocol, for exfiltration in data breaches makes decrypting SSL traffic an imperative. “I think what’s most remarkable about some of the attacks we’ve seen in the last 18 months is [that] the data [exfiltration] was not SSL, but it’s going to be,” he said at the media briefing.

Malware recently uncovered by cybersecurity firm FireEye underlines that point. The malware, which the firm dubbed Hammertoss and linked to the Russian government, uses encrypted sessions on Twitter to relay commands and extract data from breached networks.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.